cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,932 Commits 1 Branch 0 Tags 11 MiB
99e8fb373e
Commit Graph

2932 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Even Rouault
99e8fb373e * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
 2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0 * libtiff/tif_color.c: avoid potential int32 overflow in 
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
 2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577 * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT 
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
 2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16 * libtiff/tif_read.c: TIFFFillStripPartial(): 
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
 2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831 * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), 
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
 2017-05-12 20:16:37 +00:00
Even Rouault
80ee713d88 Rename variable added in previous commit to avoid symbol clash 2017-05-10 19:54:54 +00:00
Even Rouault
c9a6cfc51a * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): 
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
 2017-05-10 19:38:49 +00:00
Even Rouault
328189565b * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory 
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
 2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260 * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number 
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
 2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
 2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. 
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
 2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09 * libtiff/tif_ojpeg.c: fix potential memory leak in 
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
 2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD 
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
 2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 
-Wimplicit-fallthrough warnings.
 2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4 * libtiff/tif_pixarlog.c: fix memory leak in error code path of 
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
 2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335 * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the 
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
 2017-02-18 18:46:00 +00:00
Even Rouault
62473b596b * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the 
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when te tag is present (especially on cloud hosted files).
 2017-01-31 13:02:27 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
 2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984 * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, 
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
 2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable 
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
 2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9 * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode 
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
 2017-01-11 20:33:35 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and 
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
 2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5 Fix commit message 2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170 * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() 
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
 2017-01-11 19:02:49 +00:00
Even Rouault
537cd1da18 Initialize variable to fix MSVC warning (caused by previous commit) 2017-01-11 17:48:11 +00:00
Even Rouault
a48c640a01 * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to 
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
 2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5 * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer 
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
 2017-01-11 16:33:34 +00:00
Even Rouault
153418c943 * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid 
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
 2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings 
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
 2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104 * libtiff/tif_dirread.c: avoid division by floating point 0 in 
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
 2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace 
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
 2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c * libtiff/tif_jpeg.c: avoid integer division by zero in 
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
 2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05 * libtiff/tif_jpeg.c: increase libjpeg max memory usable to 
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
 2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in 
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
 2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in 
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
 2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger 
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
 2016-12-20 17:13:26 +00:00
Even Rouault
7d919c7849 * libtiff/tif_getimage.c: fix potential memory leaks in error code 
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
 2016-12-18 22:28:42 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode 
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
 2016-12-18 10:37:59 +00:00
Even Rouault
f9f8686c7d * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt() 
and TIFFReadRGBATileExt() variants of the functions without ext, with
an extra argument to control the stop_on_error behaviour.
 2016-12-17 22:33:11 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW 
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
 2016-12-17 19:45:28 +00:00
Lee Howard
709f14f258 HylaFAX not Halyfax 2016-12-14 18:36:27 +00:00
Even Rouault
6e3867b3e6 Fix spelling in ChangeLog 2016-12-13 18:27:47 +00:00
Even Rouault
27d6152ddd * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made 
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
 2016-12-13 18:15:48 +00:00
Even Rouault
a3196dff73 * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html 
from installed pages since the corresponding utilities are no longer
installed. Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
 2016-12-04 17:56:18 +00:00
Even Rouault
ef0803fc75 * libtiff/tif_write.c: fix misleading indentation as warned by GCC. 2016-12-03 21:57:44 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. 
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
 2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based 
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
 2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
 2016-12-03 15:44:15 +00:00
Even Rouault
f703a4c7b3 * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man 
pages since the corresponding utilities are no longer installed.
Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
 2016-12-03 15:39:49 +00:00
Even Rouault
1f7151900c * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, 
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599


Reported by Agostino Sarubbo.
 2016-12-03 15:30:31 +00:00